Offset is a register
Posted: Tue Apr 29, 2025 10:27 pm
by Navic
I've been able to replicate how simple "highlighted item" reader scripts function from looking at other people's work. For example this works fine if I use the offset 30 when adding the base address to the table:
newmem:
  mov [base],rbx      // save the register holding the object's base address
code:
  mov rax,[rbx+30]    // original instruction: load the field at offset 30 (hex)
  jmp return
base:
  dq 0                // 8-byte slot the table reads through the symbol "base"
But I can't seem to figure out how to handle it when the offset is not a number but a register. The code:
Any help would be appreciated.
Re: Offset is a register
Posted: Wed Apr 30, 2025 7:08 am
by imjustmaxie
Navic wrote: ↑Tue Apr 29, 2025 10:27 pm
I've been able to replicate how simple "highlighted item" reader scripts function from looking at other people's work. For example this works fine if I use the offset 30 when adding the base address to the table:
newmem:
mov [base],rbx
code:
mov rax,[rbx+30]
jmp return
base:
dq 0
But I can't seem to figure out how to handle it when the offset is not a number but a register. The code:
Any help would be appreciated.
My guess is this:
RCX = Base Address
RBX = Offset
RCX+RBX holds a value in the form of either a 64-bit memory location or just some 8-byte value.
RAX stores the value.
You need to set a breakpoint before that instruction and look at which registers probably hold the offset. I assume RBX here is the offset, so look at RBX's value.
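To make the "register as offset" case concrete, here is an added example of a full Cheat Engine auto-assembler script built around the guess above (the original instruction being mov rax,[rcx+rbx]). It is not code from either poster: the module name game.exe, the AOB 48 8B 04 19 (mov rax,[rcx+rbx]) followed by 48 85 C0 (test rax,rax), and the symbol names base, offset and item are all assumptions made up for the example; generate the real skeleton with CE's AOB Injection template against the actual instruction and only carry over the newmem/code/data parts.

```asm
// Added example (not from the thread). Assumes the hooked instruction is
//   mov rax,[rcx+rbx]   (48 8B 04 19)   followed by
//   test rax,rax        (48 85 C0)
// in a module called game.exe. Both the bytes and the module are assumptions.
[ENABLE]
aobscanmodule(INJECT,game.exe,48 8B 04 19 48 85 C0)
alloc(newmem,$1000,INJECT)
label(code)
label(return)
label(base)
label(offset)
label(item)
registersymbol(base)
registersymbol(offset)
registersymbol(item)

newmem:
  mov [base],rcx        // register with the base address
  mov [offset],rbx      // register with the offset (not a constant this time)
  // rax is overwritten by the original instruction right after this,
  // so it is free scratch here: compute the effective address without
  // having to push/pop anything. lea does not touch the flags.
  lea rax,[rcx+rbx]
  mov [item],rax        // base+offset, i.e. the address the game reads from
code:
  mov rax,[rcx+rbx]     // original instruction
  test rax,rax          // original next instruction (pulled in to fit the 5-byte jmp)
  jmp return

base:
  dq 0
offset:
  dq 0
item:
  dq 0

INJECT:
  jmp newmem
  nop
  nop
return:
registersymbol(INJECT)

[DISABLE]
INJECT:
  db 48 8B 04 19 48 85 C0   // restore the original 7 bytes
unregistersymbol(INJECT)
unregistersymbol(base)
unregistersymbol(offset)
unregistersymbol(item)
dealloc(newmem)
```

After enabling the script, add base, offset and item to the table as 8-byte entries to see the raw register values, and add a pointer entry with base address item and a single offset of 0 to read the value the game actually loads. Remember that the hook stores whatever was in the registers the last time the instruction ran, so if several objects pass through the same code path the stored values belong to the most recent one, not necessarily the highlighted item.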